Enterprise-grade security for every team

Led by the founders of Boomi, we know how important security is. With a team that has decades of experience, Guru works around the clock to ensure your data is secure.

Don’t just take our word for it — more than 10,000 companies use and trust Guru

Guru meets the highest security standards

SOC 2 Type II

Guru conducts an independent SOC 2, Type II audit on our knowledge management system and we share the report under NDA.
Guru uses an independent third party to conduct a SOC 2, Type II audit on its knowledge management system. This audit covers the SOC 2 Common Criteria and the Confidentiality and Privacy trust services criteria. We’re happy to share this report with clients or prospects with a signed non-disclosure agreement on file.

PCI Compliant

Guru doesn't handle PCI data directly. We use a third party for payments, complete an annual SAQ (A-EP), and scan public connections monthly for vulnerabilities.
Guru does not process PCI data, but uses a third party for payment purposes. Accordingly, Guru conducts an annual Self Assessment Questionnaire (A-EP) and scans its public-facing connections monthly for security vulnerabilities.

GDPR Ready

Guru ensures GDPR compliance for EU customers through data handling processes, subprocessor agreements, and EU standard contractual clauses.
Guru takes the data handling of our EU customers seriously. Before the GDPR became enforceable in May 2018, we'd already added multiple processes to our security control framework and required our subprocessors to commit to security minimums through Data Processing Agreements. We're ready to meet data subject requests wherever and whenever they happen and we abide by the European Commission’s standard contractual clauses.

Data Privacy Framework

Guru complies with the EU-U.S., the EU (United Kingdom Extension)-U.S., and the Swiss-U.S. Data Privacy Framework (DPF) Program, and we’re committed to resolving complaints about personal data collection and usage.

Guru complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Guru has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Guru has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in our privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Guru commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Guru at: privacy@getguru.com.

In some cases, Guru may share your information with third-party agents who perform tasks on Guru’s behalf. These agents are contractually obligated to handle your data in accordance with Guru’s instructions and the principles of the Data Privacy Framework.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Guru recognizes that individuals must have access to personal information about them and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

Guru commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution, an alternative dispute resolution provider based in New York, the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the International Centre for Dispute Resolution are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. With respect to personal data received or transferred pursuant to the Data Privacy Framework, Guru is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that you have invoked binding arbitration by delivering notice to Guru and following the procedures and subject to the conditions set forth in Annex I of the Principles.
Guru may disclose your personal information if required to do so by law or subpoena to the degree reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Guru rights or property.

Guru's policy is to protect your personal data and never disclose it in a manner inconsistent with our privacy policy. If, however, personal data covered by the policy is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in the policy, Guru will provide you with an opportunity to choose whether to have your personal data so used or disclosed. Requests to opt out of such uses or disclosures of personal data should be sent to us by way of privacy@getguru.com.

Guru is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Guru is responsible for the processing of personal information it receives under the DPF Principles, and subsequently transfers that information to a third party acting as an agent on its behalf. Consistent with its privacy policy (“How We Share Your Information”), Guru shall remain liable under the DPF Principles if third parties process such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Google CASA Certified

As a certified integration under Google’s CASA program, Guru has passed a third-party audit to ensure our Google Drive Source meets Google’s strict standards for data security and privacy.
CASA certification confirms that Guru meets Google’s security standards for authentication, encryption, infrastructure protection, and incident response. This audit helps enterprises confidently deploy Guru with Google Workspace, knowing our integration has been independently validated for compliance.

Microsoft 365 Certified

Guru has achieved Microsoft 365 Certification through Microsoft’s App Compliance Program, confirming that our app meets Microsoft’s rigorous standards for security, privacy, and compliance controls derived from leading industry frameworks.
The Microsoft 365 Certification logo represents that this app has achieved Microsoft 365 Certification. In addition to app security, this program reviews the practices and procedures the app publisher employs. While customer data is under control of the app publisher, you can rest assured that Microsoft has validated that the app will handle it in a safe and secure manner.

CA Privacy Rights Act

Guru acts as a service provider under CPRA as applicable.

Why you can trust Guru’s AI

Your data is always secure with us. Our ironclad protections safeguard your content no matter where it comes from, empowering you to use our AI-driven enterprise search with absolute confidence.


Zero data retention by third-party LLMs

Your data is never used to train, nor retained by, third-party LLMs

Only you own your data and content

All of your team’s content and data is yours — not Guru’s

Role-based access control

Users will only see what they already have permission to see


Private AI model

Your team’s AI model is unique to you and privately trained in your Guru instance based on your team’s data and interactions

Additional security features

Data encryption in transit and at rest
SAML-based SSO
SCIM provisioning
Granular app management
IP Whitelisting

Meet Wes

He used to work at the DoD and U.S. Army Cyber Command. He's our InfoSec leader. He worries about security so that you don't have to. Learn more about Wes's role in security at Guru on our blog.

FAQs

How is my content protected when Guru uses GenAI?

GenAI is an indispensable part of the Guru service, and Guru keeps source content protected throughout the entire input/output transaction. Key security features include:

  • Only relevant document matches are submitted to the third-party LLM, ensuring the vast majority of content remains out of the AI workstream (Answers)
  • Any content submitted to the third-party LLM for processing is immediately removed after the output is returned (“zero day retention”)
  • Guru does not use your content to train the LLM in any way; your content remains exclusively yours in a protected enclave
  • Our third-party AI partner undergoes recurring risk reviews and is bound by a Data Protection Agreement

How do you administer your security program?

The program is run by a dedicated infosec leader who works in tandem with executive leadership and subject matter experts to codify procedures and ensure execution.

How do I know your security program is working?

Guru hires an independent audit firm to conduct an annual SOC 2, Type II audit, which includes not only the Common Criteria, but the Confidentiality and Privacy trust services criteria too.

Do you conduct a risk assessment at least annually?

Yes. We look at changes in the product line, the regulatory environment and the cyber threat. We assign risk scores and ensure executive leadership is routinely engaged in risk mitigation. These steps are verified in the annual SOC 2 audit.

How does my data flow through your system?

  • Guru offers multiple features to synchronize, process, store and make sense of your knowledge sources; inherent to all of these features is your ability to control which knowledge is shared
  • Guru will only process what it needs to deliver on its service, and will consequently minimize collection of content and restrict retention time to the greatest extent possible
  • Your content is stored and managed in a highly secure AWS database, separated and protected from other client content by a unique team ID
  • Any use of integrators is controlled through highly secure, encrypted API connections

Do you have security policies and procedures?

We have a control framework based on the Center for Internet Security Controls, covering a wide compliance spectrum and ensuring we’re focused on the right things. We have nine separate policies that govern the following:

  • Security and Privacy Roles
  • Risk Management
  • Asset Management and Protection
  • Data Classification/Handling/Transmission
  • Data Recovery and Business Continuity
  • User Access Management
  • People and Training
  • Product Development and Change Management
  • Supplier Relationships

How do you ensure no unauthorized Guru employees see my data?

By default, Guru staff do not have access to client data. This is reserved for back-end administrators with a demonstrated need. These members are approved by the CTO in writing, and access is reviewed three times annually.

Is Guru HIPAA compliant?

Guru takes your medical privacy and security needs seriously, and while we are prepared to enter into a Business Associate Agreement for HIPAA compliance, we would first ask you to consider the likelihood that the Guru platform will ever consume, process, or store electronic protected health information. If you believe there's a reasonable chance that such personal data will find its way into the system, we are willing to provide a boilerplate BAA as Guru's signed assurance we will abide by the applicable HHS mandates for safeguarding your data.

How do you assess third parties before and during their service?

Any vendor with the potential to access sensitive client data is required to provide an external audit or, at a minimum, submit to a risk interview and demonstrate best security practices. These artifacts are refreshed annually to ensure no lapse in oversight. Moreover, each vendor is required to sign a Data Processing Agreement and contractually commit to data security practices.

Do you scan your network and your application for vulnerabilities?

Our public-facing network is scanned monthly for certificate currency, open ports and protocols, and security headers. Our application containers are scanned through AWS prior to deployment to discover and address vulnerabilities.
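The three checks named in that answer (certificate currency, open ports and protocols, security headers) are the kind of thing an external scan produces as raw data; turning them into a pass/fail policy is what makes a monthly scan actionable. The Python below is an added example written for this page, not Guru's scanner or code. The hostnames, expiry dates, port lists and header sets are constructed inputs so the evaluation runs offline against two hypothetical scan results.

```python
"""Added example (not Guru's tooling): evaluate external scan results for
certificate currency, exposed ports/protocols and security headers.
All inputs below are constructed; nothing is fetched from the network."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Headers a public-facing HTTPS app is expected to send, with a check on the value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Policy: a web application only has a reason to expose HTTPS over modern TLS.
ALLOWED_PORTS = {443}
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
CERT_WARN_DAYS = 30  # flag certificates that will lapse before the next monthly scan


@dataclass
class ScanResult:
    """One host's raw scan output (constructed shape, not a real scanner's format)."""
    host: str
    cert_not_after: datetime
    open_ports: set
    tls_versions: set
    headers: dict


def evaluate(scan: ScanResult, now: datetime) -> list:
    """Return a list of human-readable findings; an empty list means the host passes."""
    findings = []

    # Certificate currency: expired, or expiring before the next scan cycle.
    days_left = (scan.cert_not_after - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < CERT_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")

    # Ports and protocols outside the allow-list.
    for port in sorted(scan.open_ports - ALLOWED_PORTS):
        findings.append(f"unexpected open port {port}")
    for proto in sorted(scan.tls_versions - ALLOWED_TLS):
        findings.append(f"legacy protocol offered: {proto}")

    # Security headers: header names are case-insensitive, so normalise first.
    lowered = {k.lower(): v for k, v in scan.headers.items()}
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header {name}")
        elif not value_ok(lowered[name]):
            findings.append(f"weak value for header {name}: {lowered[name]!r}")
    return findings


# Constructed reference time and two hypothetical hosts.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

GOOD = ScanResult(
    host="app.example.test",
    cert_not_after=NOW + timedelta(days=200),
    open_ports={443},
    tls_versions={"TLSv1.2", "TLSv1.3"},
    headers={
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
)

DRIFTED = ScanResult(
    host="legacy.example.test",
    cert_not_after=NOW + timedelta(days=12),
    open_ports={443, 8080},
    tls_versions={"TLSv1.0", "TLSv1.2"},
    headers={
        "Strict-Transport-Security": "max-age=31536000",
        "X-Frame-Options": "ALLOWALL",
    },
)

if __name__ == "__main__":
    for scan in (GOOD, DRIFTED):
        result = evaluate(scan, NOW)
        print(scan.host, "PASS" if not result else "FAIL")
        for line in result:
            print("  -", line)
```

The allow-list approach matters more than the specific header list: a scan that only reports what it saw leaves the judgement to whoever reads it, whereas comparing against a written policy makes month-to-month drift (a new port, a re-enabled legacy protocol, a header dropped by a deployment) show up as a concrete finding.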

Is your application penetration tested?

Yes. The application is routinely pen tested by an outside agency no less than twice per year to reveal common OWASP vulnerabilities. An executive summary is available upon request.

Describe your data backup and recovery system.

We copy our database daily and save it to a disaster recovery site in an entirely separate region. We run a daily integrity check on that backup to make sure it’s usable if needed. The recovery point objective is 1 hour, with a recovery time objective of 24 hours.

Do you have an incident response program?

Guru maintains a comprehensive incident classification and response procedure, rehearsing potential incidents twice annually through a formal tabletop exercise. Participants capture lessons learned and constantly strive to make the program better. Though highly unlikely, any data breach would be communicated to a client’s Guru administrator within 24 hours of confirmation.

Do you perform security reviews during development?

Security is baked into the coding process, and a number of checks are performed to validate new code prior to deployment. Also, Guru’s developers undergo specialized security training to address common vulnerabilities such as Cross-Site Scripting and SQL injection.

Are you ready to support privacy laws like CCPA and GDPR?

Guru fully respects both established and emerging privacy regulations and has created the necessary processes to support the rights of data subjects. Guru offers a Data Protection Agreement and contractually agrees to support any and all emerging privacy regulations as they apply to the service. Third parties are also required to document their security commitments consistent with laws and regulations.

Do third parties have access to my data?

In addition to AWS, Guru uses some third parties to perform certain components of its operations. Only vendors who have successfully demonstrated sufficient security capabilities and commitments are authorized to support the Guru system.